April 03, 2009

FTC Issues Business Guidance for Identity Theft Red Flags Rule Compliance


Update:  On May 28, 2010, at the request of several Members of Congress, the Federal Trade Commission announced it is further delaying enforcement of the “Red Flags” Rule through December 31, 2010, while Congress considers legislation that would affect the scope of entities covered by the Rule.  If Congress passes legislation limiting the scope of the Red Flags Rule with an effective date earlier than December 31, 2010, the FTC indicated that it will begin enforcement as of that effective date.

Update:  On October 30, 2009, the Federal Trade Commission announced that it was postponing the implementation of the Red Flags Rule from November 1, 2009 to June 1, 2010.

Update:  On July 29, 2009, the Federal Trade Commission announced that it was postponing the implementation of the Red Flags Rule from August 1, 2009 to November 1, 2009.

Update:  On April 30, 2009, the Federal Trade Commission announced that it will delay enforcement of the new “Red Flags Rule” until August 1, 2009, “to give creditors and financial institutions more time to develop and implement written identity theft prevention programs.”

The Federal Trade Commission (“FTC”) has issued business guidance to assist entities covered by the Identity Theft Red Flags Rule (the “Red Flags Rule”) in designing and implementing identity theft prevention programs (“ITPPs”).  The Red Flags Rule requires “financial institutions” and “creditors” to develop written programs to identify the warning signs of ID theft, spot them when they occur, and take appropriate steps to respond to those warning “red flags.”

“Fighting Fraud with the Red Flags Rule: A How-To Guide for Business” is available at: www.ftc.gov/redflagsrule.  The business guidance describes the entities that are covered by the Red Flags Rule and provides information to help them develop identity theft prevention programs.  Although the Red Flags Rule became effective on November 1, 2008, for entities under the FTC’s jurisdiction, the FTC has delayed enforcement of the Rule until May 1, 2009.

The Red Flags Rule covers financial institutions and creditors (“covered entities”).  The Red Flags Rule defines a “financial institution” to include institutions under the jurisdiction of the federal bank regulatory agencies and/or the National Credit Union Administration, and any other person that, directly or indirectly, holds a transaction account belonging to a consumer.  FTC guidance provides examples of financial institutions under the FTC’s jurisdiction, including state-chartered credit unions, mutual funds that offer accounts with check-writing privileges, and other institutions that offer accounts from which the consumer can make payments or transfers to third parties.  “Creditors” are defined as businesses or organizations that regularly defer payment for goods or services, or that provide goods or services and bill customers later.  Covered entities must conduct a risk assessment to determine whether they have “covered accounts,” which include consumer-type accounts and other accounts for which there is a reasonable risk of identity theft.

Even if your organization is not required to have an ITPP, you may at least have to conduct a risk assessment to decide whether the “credit” arrangements you enter into with your customers, vendors, advertisers, purchasers, and others present a reasonably foreseeable risk of identity theft (“ID theft”), which the Red Flags Rule defines as a fraud committed or attempted using the identifying information of another person without authority.  “Red Flags” means a pattern, practice, or specific activity that indicates the possible existence of ID theft.

Even a low-risk covered entity needs to have a written ITPP that is approved either by its Board of Directors or an appropriate senior employee.  Since risks change, there is an obligation to assess the ITPP periodically to keep it current.  Likewise, because business models and services change, organizations should periodically assess whether or not they are a covered entity subject to the Red Flags Rule.

The FTC and the federal financial regulatory agencies developed the Red Flags Rule under the Fair and Accurate Credit Transactions Act of 2003 (the “FACT Act”).  The Red Flags Rule is designed to reduce the overall incidence and impact of identity theft. 

*  *  *  *  *  *

Many organizations will be considered “financial institutions” or “creditors” under the Red Flags Rule, and many of these organizations will have “covered accounts” as defined by the Red Flags Rule. It is crucial that all organizations coming within the Red Flags Rule coverage have an ITPP in place no later than May 1, 2009.  Given the risk-based nature of the Red Flags Rule’s requirements, the requirements are flexible and may be tailored to the degree of identity theft risk faced by the particular company and activity.

*  *  *  *  *  *

For more information, please contact Jonathan Pompan at 202-344-4383 or jlpompan@venable.com.

This article is not intended to provide legal advice or opinion and should not be relied on as such.  Legal advice can only be provided in response to specific fact situations.